CSSCurrent en:Pointsharp Identity Provider Configuration: Unterschied zwischen den Versionen
Aus Cryptshare Documentation
Keine Bearbeitungszusammenfassung |
|||
| (25 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
== Pointsharp Identity Provider == | == Pointsharp Identity Provider == | ||
Cryptshare supports authentication via the | Cryptshare supports authentication via the Pointsharp Identity Provider for the '''Admin Interface.''' | ||
This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment. | This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment. | ||
The feature is | The feature is optional. When enabled, authentication via the local Cryptshare user database is disabled. It is always possible to revert back to local authentication by disabling the Identity Provider configuration. | ||
The Pointsharp Identity Provider integration is available since '''Cryptshare version 7. | The Pointsharp Identity Provider integration is available since '''Cryptshare version 7.5.0'''. | ||
The usage of the Pointsharp Identity Provider with Cryptshare requires a Cryptshare Enterprise License. If the feature is not enabled on your license yet, please get in contact with your [mailto:customer.success@pointsharp.com?subject=Licensing%20Cryptshare%20feature%20Electronic%20Identity%20%28eID%29&body=Dear%20Cryptshare%20Team%2C%0A%0APlease%20send%20me%20information%20about%20%22Electronic%20Identity%20%28eID%29%22.%0A Cryptshare sales representative] in order to request a new licence file. | |||
== Configuration == | == Configuration == | ||
Identity Provider authentication is configured using a configuration file. | Identity Provider authentication is configured using a configuration file and the Admin Interface. | ||
# The base URL used for redirects is configurable via the Admin Interface -> System Settings -> Connection. | |||
# Contact our support team to setup your Pointsharp Identity Provider. | |||
# Get the values from the IdP configuration and set them in the cryptshare.properties file. | |||
idProvider.clientSecret=<clientSecretFromIdP> | |||
idProvider.baseUrl=<idPUrl> | |||
idProvider.realm=<usedRealm> | |||
idProvider.clientId=<usedClientId> | |||
4. Any change to the Identity Provider configuration '''requires a restart of the Cryptshare service'''. | |||
Identity Provider authentication is enabled when the properties are set. | |||
Once this property is present, Cryptshare will use the configured Identity Provider for authentication to the Admin Interface. | |||
== Authentication Behavior == | == Authentication Behavior == | ||
When accessing the Admin Interface | When accessing the Admin Interface, the authentication flow behaves as follows: | ||
# The user is redirected to the configured Identity Provider. | # The user is redirected to the configured Identity Provider. | ||
# The user authenticates at the Identity Provider. | # The user authenticates at the Identity Provider. | ||
# After successful authentication, the user is redirected back to the Cryptshare Admin Interface. | # After successful authentication, the user is redirected back to the Cryptshare Admin Interface. | ||
[[Datei:Authworkflow.png|mini]] | |||
If the Identity Provider is unavailable or authentication fails, the login attempt fails. | If the Identity Provider is unavailable or authentication fails, the login attempt fails. | ||
| Zeile 42: | Zeile 43: | ||
=== User Existence === | === User Existence === | ||
* The user '''must exist in the Identity Provider''' | * The user '''must exist in the Identity Provider.''' | ||
* On first successful login: | * On first successful login: | ||
** A | ** A local Cryptshare Adminuser is created automatically. | ||
=== Groups and Roles === | === Groups and Roles === | ||
| Zeile 50: | Zeile 51: | ||
* Group information is provided by the Identity Provider (e.g. Active Directory groups). | * Group information is provided by the Identity Provider (e.g. Active Directory groups). | ||
* A standard role mapping is provided. | * A standard role mapping is provided. | ||
* Role mapping is configured | * Role mapping is configured exclusively in the Identity Provider. | ||
If role mapping is missing or invalid, login is denied. | If role mapping is missing or invalid, login is denied. | ||
== Logout Behavior == | == Logout Behavior == | ||
Logging out ends the '''local Cryptshare session only''' | Logging out ends the '''local Cryptshare session only.''' | ||
* No logout request is sent to the Identity Provider. | * No logout request is sent to the Identity Provider. | ||
* Single Logout is not supported. | * Single Logout is not supported. | ||
Aktuelle Version vom 19. Dezember 2025, 13:45 Uhr
Pointsharp Identity Provider
Cryptshare supports authentication via the Pointsharp Identity Provider for the Admin Interface.
This feature allows administrators to integrate Cryptshare into an external Identity and Access Management (IAM) environment.
The feature is optional. When enabled, authentication via the local Cryptshare user database is disabled. It is always possible to revert back to local authentication by disabling the Identity Provider configuration.
The Pointsharp Identity Provider integration is available since Cryptshare version 7.5.0.
The usage of the Pointsharp Identity Provider with Cryptshare requires a Cryptshare Enterprise License. If the feature is not enabled on your license yet, please get in contact with your Cryptshare sales representative in order to request a new licence file.
Configuration
Identity Provider authentication is configured using a configuration file and the Admin Interface.
- The base URL used for redirects is configurable via the Admin Interface -> System Settings -> Connection.
- Contact our support team to setup your Pointsharp Identity Provider.
- Get the values from the IdP configuration and set them in the cryptshare.properties file.
idProvider.clientSecret=<clientSecretFromIdP> idProvider.baseUrl=<idPUrl> idProvider.realm=<usedRealm> idProvider.clientId=<usedClientId>
4. Any change to the Identity Provider configuration requires a restart of the Cryptshare service.
Identity Provider authentication is enabled when the properties are set.
Once this property is present, Cryptshare will use the configured Identity Provider for authentication to the Admin Interface.
Authentication Behavior
When accessing the Admin Interface, the authentication flow behaves as follows:
- The user is redirected to the configured Identity Provider.
- The user authenticates at the Identity Provider.
- After successful authentication, the user is redirected back to the Cryptshare Admin Interface.
If the Identity Provider is unavailable or authentication fails, the login attempt fails.
User Handling and Role Mapping
User Existence
- The user must exist in the Identity Provider.
- On first successful login:
- A local Cryptshare Adminuser is created automatically.
Groups and Roles
- Group information is provided by the Identity Provider (e.g. Active Directory groups).
- A standard role mapping is provided.
- Role mapping is configured exclusively in the Identity Provider.
If role mapping is missing or invalid, login is denied.
Logout Behavior
Logging out ends the local Cryptshare session only.
- No logout request is sent to the Identity Provider.
- Single Logout is not supported.